Tuesday, June 07, 2005

Firefox Flaw


Picture credit: http://www.detstar.com
Excel web sharing - spreadsheet collaboration over the Internet made easy with BadBlueThough the odds of an exploit appear low, this vulnerability in the Mozilla and Firefox browsers just resurfaced after a seven-year hiatus:

...For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time...


Here's one way a phisher could exploit this weakness:

  • User visits a malicious site, via emailed hyperlink or equivalent means

  • Cross-site scripting (XSS) could used to expose one or more financial sites that victim has visited

  • Malicious site opens financial website, perhaps as a background window

  • Malicious site feeds bogus sign-in form into financial website

  • User visits financial site window (perhaps later on) and authenticates

  • Authentication data sent to phisher


  • Nefarious, but feasible.

    News.com: Spoofing flaw resurfaces in Mozilla browsers
     

    No comments: